[strongSwan-dev] High Availability

Daniel Palomares palomaresdaniel at gmail.com
Thu Apr 21 17:50:50 CEST 2011

Hello Guys,

I'm working with the High Availability plugin and its new features. I have
some questions regarding the code.
I did notice that the HA Plugin has different listeners in order to
synchronize the SAs: "ike_rekeys", "ike_updown", "ike_rekey",
"ike_state_change" and "message_hook".

By the way, I see that the "ike_updown" listener checks if a connection is being
set to UP or DOWN through the command line, as for example:

                   > sudo ipsec up "connection-name"

What I don't get is why the tag of this message.type is HA_IKE_UPDATE
instead of HA_IKE_ADD?

I mean, once you initiate a new connection, I would be more familiar with
HA_IKE_ADD instead of HA_IKE_UPDATE, because once we get a connection-name
up and established, it should be a new SA to synchronize for the HA plugin,
isn't it? Maybe I'm simply getting the idea wrong with the names of the
messages (types)?

On the other hand, I don't get why a HA_IKE_ADD synchronization type message
would be generated from an "ike_keys" listener? Could someone help me on

Hope I've been clear concerning these doubts!

I'm working on a thesis concerning the study of mechanisms to assure
connectivity in an IKEv2/IPsec context. So I'm working on the transfer of
a Security Association from one node to another; to achieve this I'm
taking ideas from the ha_plugin, of course.
My goal is not to synchronize every SA on a cluster, but to take an SA
whenever I want and then be able to install it anywhere else.

Having a look at "ha_ike.c", the methods *ike_keys* and
*ike_updown* describe how to create both HA_IKE_ADD and HA_IKE_UPDATE.
Then, when I had a look at "ha_dispatcher.c", I realized as well that
message.type=HA_IKE_ADD generates a totally new IKE_SA, and
message.type=HA_IKE_UPDATE just updates the information of a previously
checked-out IKE_SA.

Thanks for your help in advance,

PS: in order to install a new IKE_SA, I saw the *process_ike_add()* function
in "ha_dispatcher.c" which is quite clear.

Daniel Palomares Velásquez
Orange Labs de France Télécom
Doctorate Student